Metrics-Focused Analysis of Network Flow Data

1 Metrics-Focused Analysis of Network Flow Data
Timothy Shimeall, Ph.D.

2 Distribution Statements
Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at

CERT Coordination Center® and FloCon® are registered marks of Carnegie Mellon University.

DM

3 Overview
Security Content Automation Protocol (SCAP)
Network Management Metrics
Metrics Focused Analysis

4 Security Content Automation Protocol
Common Vulnerability Enumeration
  Identity
  Severity score (CVSS)
  Systems affected
Common Checklist Enumeration
  Checklist items
Common Platform Enumeration

5 Network Management Metrics
Homogeneity (fraction of hosts made up by the most common configuration)
Out-of-date (fraction of hosts in use that are no longer supported)
Modification rate of platforms
Arrival rate of platforms
Arrival rate of vulnerabilities
Departure rate of vulnerabilities
Recurrence of vulnerabilities

Arbaugh, W., Fithen, W., McHugh, J. “Windows of Vulnerability: A Case Study Analysis.” IEEE Computer, December, pp.
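The slide names the metrics but not how to compute them from an inventory. The following added example (not code from the presentation or from the SEI) computes each of the seven metrics over successive configuration snapshots. The snapshots, platform strings and vulnerability identifiers are constructed placeholders; the supported-platform set and the definitions of the rate metrics (counted per interval between snapshots, as a fraction of the current host population) are assumptions made for the example, since the slide only defines homogeneity and out-of-date.

```python
"""Network-management metrics over successive configuration snapshots.

Each snapshot maps a host to its platform (a CPE-style string) and the set
of vulnerability identifiers (CVE-style) currently open on it.  All data
below is constructed for illustration; the identifiers are placeholders,
not real CVE or CPE entries.
"""
from collections import Counter

# Assumption: platforms the vendor still supports with fixes.
SUPPORTED = {"vendor:os:10", "vendor:os:11"}

# Constructed snapshots, oldest first: host -> (platform, open vulnerabilities)
SNAPSHOTS = [
    {
        "h1": ("vendor:os:10", {"VULN-A", "VULN-B"}),
        "h2": ("vendor:os:10", {"VULN-A"}),
        "h3": ("vendor:os:9",  {"VULN-C"}),
        "h4": ("vendor:os:10", set()),
    },
    {
        "h1": ("vendor:os:11", {"VULN-B"}),            # h1 upgraded; VULN-A departed
        "h2": ("vendor:os:10", {"VULN-A", "VULN-D"}),  # VULN-D arrived
        "h3": ("vendor:os:9",  set()),                 # VULN-C departed
        "h4": ("vendor:os:10", set()),
        "h5": ("vendor:os:11", {"VULN-D"}),            # new host; VULN-D arrived
    },
    {
        "h1": ("vendor:os:11", {"VULN-A", "VULN-B"}),  # VULN-A recurred on h1
        "h2": ("vendor:os:10", {"VULN-D"}),
        "h3": ("vendor:os:9",  set()),
        "h4": ("vendor:os:10", set()),
        "h5": ("vendor:os:11", set()),
    },
]


def homogeneity(snapshot):
    """Fraction of hosts running the single most common platform."""
    counts = Counter(platform for platform, _ in snapshot.values())
    return counts.most_common(1)[0][1] / len(snapshot)


def out_of_date(snapshot, supported=SUPPORTED):
    """Fraction of hosts whose platform is no longer supported."""
    stale = sum(1 for platform, _ in snapshot.values() if platform not in supported)
    return stale / len(snapshot)


def platform_changes(prev, cur):
    """Modification rate (hosts whose platform changed since the previous
    snapshot) and arrival rate (platforms first seen in this snapshot),
    both as fractions of the current host population."""
    modified = sum(1 for h in cur if h in prev and prev[h][0] != cur[h][0])
    known = {p for p, _ in prev.values()}
    arrived = {p for p, _ in cur.values()} - known
    return modified / len(cur), len(arrived) / len(cur)


def vuln_pairs(snapshot):
    """All (host, vulnerability) pairs open in a snapshot."""
    return {(h, v) for h, (_, vulns) in snapshot.items() for v in vulns}


def vulnerability_rates(snapshots):
    """Per-interval arrival, departure and recurrence counts of (host, vuln)
    pairs.  A recurrence is a pair that arrives after having departed in an
    earlier interval, i.e. a fix that did not stick or was rolled back."""
    results, ever_departed = [], set()
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = vuln_pairs(prev), vuln_pairs(cur)
        arrived, departed = after - before, before - after
        recurred = arrived & ever_departed
        ever_departed |= departed
        results.append({"arrived": len(arrived),
                        "departed": len(departed),
                        "recurred": len(recurred)})
    return results


if __name__ == "__main__":
    for i, snap in enumerate(SNAPSHOTS):
        print(f"snapshot {i}: homogeneity={homogeneity(snap):.2f} "
              f"out_of_date={out_of_date(snap):.2f}")
    for i, (prev, cur) in enumerate(zip(SNAPSHOTS, SNAPSHOTS[1:])):
        mod, arr = platform_changes(prev, cur)
        print(f"interval {i}: platform modification={mod:.2f} arrival={arr:.2f}")
    print("vulnerability rates per interval:", vulnerability_rates(SNAPSHOTS))
```

Tracking (host, vulnerability) pairs rather than bare vulnerability identifiers is what makes recurrence visible: VULN-A is never absent from the network as a whole, but it leaves h1 and comes back, which is the signal a patch-efficiency review wants.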

6 Example 1: Assessing Patch Efficiency
Patch Efficiency – mitigations are applied for significant (serious and exploitable) vulnerabilities prior to exploitation
Metrics:
  Modification rate of platforms
  Arrival rate of vulnerabilities
  Departure rate of vulnerabilities
Flow Analysis:
  Response to scanning
  Bytes/Packet/Second classification
  Service abnormalities

Campbell, G. “MEASURES and METRICS In CORPORATE SECURITY.” Security Executive Council Publication Series. January 2008.

7 Example 2: Quantifying Vulnerability Exposure
Vulnerability exposure – Probable loss associated with vulnerabilities in a given network service
Metrics:
  Arrival rate of vulnerabilities
  Departure rate of vulnerabilities
  Recurrence of vulnerabilities
Flow Analysis:
  Filter by service
  Bytes/packet/second clustering
  Responses to scanning
  Service baseline use
  Compare to overall network usage
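Examples 1 and 2 both list the same flow-analysis steps (filter by service, bytes/packet/second classification, responses to scanning, comparison with a service baseline and with overall usage) without showing them. The following added example, which is not code from the presentation or from the SiLK tool suite, carries those steps through over a handful of constructed flow records laid out like a SiLK export (source, source port, destination, destination port, protocol, packets, bytes, duration). The class thresholds, the baseline profile and the addresses (documentation ranges) are assumptions made for the example.

```python
"""Bytes/packet/second classification of flow records for one service, with
a baseline comparison, a share-of-network figure, and a check of which
inbound probes the service answered.

Flow records are constructed for illustration; the thresholds and the
baseline profile are assumed, not values from the presentation.
"""
from collections import Counter

# Constructed records: (sip, sport, dip, dport, proto, packets, bytes, duration_s)
FLOWS = [
    ("10.0.0.5",     51000, "192.0.2.10",    443,  6,   40,   52000,   8.0),  # bulk download
    ("10.0.0.6",     51001, "192.0.2.10",    443,  6,   12,    1500,  30.0),  # interactive session
    ("10.0.0.7",     51002, "192.0.2.10",    443,  6,    1,      60,   0.0),  # single SYN, no reply seen
    ("198.51.100.9", 40000, "192.0.2.10",    443,  6,    1,      60,   0.0),  # probe from outside
    ("192.0.2.10",     443, "198.51.100.9", 40000, 6,    1,      40,   0.0),  # server's reply to that probe
    ("10.0.0.5",     51003, "192.0.2.11",     22,  6,  200,   16000, 120.0),  # ssh session
    ("10.0.0.8",     53000, "192.0.2.12",     53, 17,    2,     300,   0.1),  # dns lookup
    ("10.0.0.9",     51004, "192.0.2.10",    443,  6, 5000, 7500000,  20.0),  # very large transfer
]

CLASSES = ("tiny", "interactive", "bulk", "other")


def classify(flow):
    """Assign a flow to a class from its bytes/packet and packets/second.
    Thresholds are assumed for this example; tune them to the network."""
    packets, nbytes, duration = flow[5], flow[6], flow[7]
    bpp = nbytes / packets
    # Zero-duration flow (single packet): treat the rate as one burst.
    pps = packets / duration if duration > 0 else float(packets)
    if packets <= 2:
        return "tiny"          # probes, resets, single query/response
    if bpp >= 1000:
        return "bulk"          # transfer-sized packets
    if bpp < 200 and pps < 10:
        return "interactive"   # small packets at a human-driven pace
    return "other"


def service_flows(flows, port):
    """Filter by service: flows to the port (client side) or from it (server side)."""
    return [f for f in flows if f[3] == port or f[1] == port]


def class_profile(flows):
    """Fraction of flows per class: the bytes/packet/second clustering view."""
    counts = Counter(classify(f) for f in flows)
    return {cls: counts[cls] / len(flows) for cls in CLASSES}


def service_abnormalities(profile, baseline, threshold=0.25):
    """Classes whose share moved more than `threshold` from the baseline profile."""
    out = {}
    for cls in profile:
        delta = abs(profile[cls] - baseline.get(cls, 0.0))
        if delta > threshold:
            out[cls] = round(delta, 3)
    return out


def share_of_network_bytes(flows, port):
    """Service bytes as a fraction of all observed bytes (service vs overall usage)."""
    total = sum(f[6] for f in flows)
    return sum(f[6] for f in service_flows(flows, port)) / total


def probe_responses(flows, port):
    """For each tiny inbound flow to the port, did the server send anything back?
    Keyed by (prober, target); True means a reverse flow from the port exists,
    i.e. the service is reachable from that source."""
    answered = {}
    for f in flows:
        sip, _, dip, dport = f[0], f[1], f[2], f[3]
        if dport == port and classify(f) == "tiny":
            answered[(sip, dip)] = any(
                g[0] == dip and g[1] == port and g[2] == sip for g in flows)
    return answered


if __name__ == "__main__":
    https = service_flows(FLOWS, 443)
    profile = class_profile(https)
    # Assumed profile of the same service from an earlier, quiet period.
    baseline = {"tiny": 0.2, "interactive": 0.5, "bulk": 0.3, "other": 0.0}
    print("service profile:", profile)
    print("abnormal classes:", service_abnormalities(profile, baseline))
    print("share of network bytes: %.3f" % share_of_network_bytes(FLOWS, 443))
    print("probe responses:", probe_responses(FLOWS, 443))
```

Against the constructed baseline the service shows too many tiny flows and too few interactive ones, and one host's transfer dominates the byte count; those are the "service abnormalities" a patch-efficiency or exposure review would pivot on, and the probe-response table tells the analyst which sources the service actually answered.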

8 Example 3: Measuring APT Vulnerability
Advanced Persistent Threat Vulnerability: opportunities for threats to exploit collateral vulnerabilities between units within the organization to penetrate and establish permanency in local networks.
Metrics:
  CVSS scoring
  Common vulnerability prevalence between units
  Arrival rate of vulnerabilities
Flow Analysis:
  Response to scanning
  Usage of vulnerable services between units
  Measuring dependencies between units

Mateski, M. et al. “Cyber Threat Metrics.” Technical Report SAND, Sandia National Labs. March 2012.

9 Summary
Pivoting between data can enable advanced analysis
Metrics focus the interaction
  Configuration information for structural view
  Traffic information for dependency view
  Combined information for threat view
